Wim Remes SOURCE Boston 2011

Among the blind, the squinter rules. Security visualization in the ﬁeld

About me Wim Remes .Ernst and Young Belgium (ITRA FSO) .Incident Response/Analysis .Security Monitoring (SIEM) .Security Management .Eurotrash podcast .InfosecMentors .Brucon @wimremes on twitter wremes-at-gmail-dot-com

DisclaimerThe opinions and ideasexpressed in this talkare my own and are notendorsed by anycorporate entityor church.

Agenda 1. please your audience 2. tools can [save|kill] your day 3. visualization hall of fail 4. tips & tricks 5. Let’s get to work

-1-please your audience

Changing the tune keeps people engagedpicture by tochis :http://www.flickr.com/photos/tochis/

who’s that for ? Management Technical Historical Comparative (Near) Real Time Supporting Decisions More complex & Business Objectives Facilitating the job Clear & Concise Actionable! Actionable ! 42

you’re the designer

Zen master of data visualization Edward Tufte data can be beautiful! data should be beautiful!

Dashboard design guru Stephen Few “The sad thing about dancing bearware is that most people are quite satisfied with the lumbering beast.” Alan Cooper, 1999, the inmates are running the asylum.

-2-Tools can [save|kill] your day

What tools can I use ? cool kids use this (not!)

What tools can I use ? - Desktop - Server

Security tools will help ... PS : export to CSV works well ... try it for a 5000+ host network ;)

credit where credit is due ...

this is going in the right direction...

Open source it is then ... grep sed awk perl ... http://www.secviz.org kudos to @zrlram

-3-visualization hall of fail

PIE, it’s what’s in your face

whoa, I take the biggest piece !

sometimes however, they rock ...

to explain simple stuff ;-)

“if bullet points are the obviouskillers, pie charts are shurikens”

Even the best can fail...

failing in style ...

playing hide and seek ?

we have to raise the bar or maybe not ...

Sometimes it’s easy ... a 21st century bar(r) chart

-4-tips & tricks

sparklines (aka datawords)

Infographs 5 6 7 8 9 10 11 12 13 courtesy of ZoneAlarm (by Checkpoint)

choose your chart wisely http://www.ﬂickr.com/photos/amit-agarwal/3196386402/

Get data from external sources - osvdb.org - datalossdb.org - various industry reports - Verizon DBIR - EY GISS - Trustwave, McAfee, Symantec, ... - virustotal.com - cvedetails.com context creates clarity

让我们作的更好 (let’s make things better) Vulnerabilities by Severity Level 5 3D? 4 3 2 1 0 25 50 75 100 compared to ? last year? last month?

Messy Dashboards (1/5)

Messy Dashboards (2/5) network status

Messy Dashboards (3/5) 1500 Events/Second 1125 750 375 0 12:00 12:10 12:20 12:30 12:40 12:50 13:00

Messy Dashboards (4/5) Top attackers 10.10.10.10 192.168.10.234 172.30.12.15 8.8.8.8 Top targets 172.16.12.30 172.16.12.15 172.16.12.230 172.16.12.120

Messy Dashboards (5/5) Local Network - Inbound bytes 4000 3000 2000 1000 0 9:00 10:00 11:00 12:00 13:00

server health network status Windows Unix Network1500 Events/Second Major Events1125 worms 750 portscans 375 failed logins 0 FTP 12:00 12:10 12:20 12:30 12:40 12:50 13:00 0 15 30 45 60 Top attackers Top targets 10.10.10.10 172.16.12.30 192.168.10.234 172.16.12.15 172.30.12.15 172.16.12.230 8.8.8.8 172.16.12.120 Local Network - Inbound bytes 4000 3000 2000 1000 0 9:00 10:00 11:00 12:00 13:00

3,1415926535897932384626433832

Blink...Understand DE CN US NL US US BE Great Lakes KEYWEB TimeNet VolumeDrive EuroAccess RoadRunner ISPSYSTEM-AS Comnet AS

Ok, we can still say it with pie NL CN BE DE US

-5-let’s get to work

Davix | gltail ruby | real time | logs http://www.fudgie.org/ http://dataviz.com.au/blog/Visualizing_VOIP_attacks.html

Davix | afterglow credit: David Bernal Michelena http://www.honeynet.org/challenges/2010_5_log_mysteries

Burpdot http://un-excogitate.org/

Google Charts API http://code.google.com/apis/chart/ http://search.cpan.org/dist/URI-GoogleChart/

Google Visualization API

Google Visualization APINevada;7526;6/11/10;Theft;Network ServerTexas;600;5/29/10;Theft;Network ServerCalifornia;1000;5/25/10 and 5/26/2010;Other;PaperArizona;5893;5/15/10;Theft;LaptopKansas;1105;5/12/10;Theft;LaptopSouth Carolina;653;5/09/10;Theft;LaptopTexas;4083;5/04/10;Improper Disposal;Paper RecordsMaryland;937;5/03/10;Other;E-mailMichigan;2300;5/02/10;Theft;LaptopNew York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer, ... http://code.google.com/apis/ajax/playground/? type=visualization#tree_map

jquery libraries (almost) CC BY-NC 3.0 (To the cloud !)

Conclusions - We need data standardization badly - Understand your data - We need to think outside the box - There’s more to visualization than pie charts - There’s tools out there: use them wisely

Thank you wremes@gmail.com - @wimremes

Wim Remes SOURCE Boston 2011

by SOURCE Conference

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics

Wim Remes SOURCE Boston 2011 Presentation Transcript